AWS for Enterprise
Both Control Tower and Landing Zone help set up and manage secure multi-account AWS environments. Which one should customers use? Let’s take a closer look and figure out together.
AWS Control Tower is a service that offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.
Figure 1 - Using AWS Control Tower to govern multi-account AWS environments at scale
AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services.
Figure 2 - Automating AWS landing zone deployment to speed up large scale migration
Although official documentation explains the difference between AWS Control Tower and AWS Landing Zone, we believe that customers should learn more details about these two offerings. And keep in mind, these solutions are not apples to apples comparable, more like apples to oranges. AWS Landing Zone solution was launched in June 2018, while AWS Control Tower was announced in November 2018 and launched in June 2019. It’s not very clear why in just a couple of months AWS introduced two competing products. Based on our limited experience, we would assume AWS Landing Zone solution was very well received by enterprise customers, but in the same time required fundamental changes which led to AWS Control Tower service. As of time of writing, AWS Control Tower doesn’t support existing setups for AWS Organization or AWS SSO, although official FAQ claims it will be added in the future, as well as ability to migrate from AWS Landing Zone solution to AWS Control Tower service.
Therefore, in summary, which one should we use: AWS Control Tower or AWS Landing Zone? The answer is: depends. If you start from scratch or can afford destroying existing AWS resources, then AWS Control Tower is the way forward. Otherwise, consider AWS Landing Zone and fingers crossed for future migration solution from AWS Landing Zone to AWS Control Tower.